gh0strat | a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9

General

Target

a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Size

144KB
MD5

19e0e8ac9b12a73462419a205f63fe21
SHA1

223b5e205b2794df4406a6f706408b2570f62477
SHA256

a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9
SHA512

8026e25f24eaa0f82f6e31b822ad571cb846eaaf8d885ebce45276470486b07b79eb1a7780db5ce6900525eea1c6548aad401cf65f9ca09aee3e7f509847c82d
SSDEEP

3072:5VK1M+IRHl+BSVIKISNq+Ha29M9U5EGzGv48YfIqRDUcEuccxB:5sC+wHlCSQSNqea29M9Udk4wqRDCxc/

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1632-58-0x0000000000400000-0x0000000000427000-memory.dmp	family_gh0strat
behavioral1/files/0x000a000000014142-62.dat	family_gh0strat
behavioral1/memory/1632-63-0x0000000000530000-0x000000000055B000-memory.dmp	family_gh0strat
behavioral1/files/0x000a000000014142-65.dat	family_gh0strat
behavioral1/files/0x00140000000054ab-68.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1552	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1552	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Vlal\Waojxeqoi.gif	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
File created	C:\Program Files (x86)\Vlal\Waojxeqoi.gif	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe
1552	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1632	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeRestorePrivilege	1632	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeBackupPrivilege	1632	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeRestorePrivilege	1632	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeBackupPrivilege	1632	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeRestorePrivilege	1632	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeBackupPrivilege	1632	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeRestorePrivilege	1632	a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe

C:\Users\Admin\AppData\Local\Temp\a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
"C:\Users\Admin\AppData\Local\Temp\a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1187100.dll

Filesize
101KB

MD5
9a321afedb20299237990eab5f04438a

SHA1
cfa0ee092174d53d23b80d4c08f1b122958c50f1

SHA256
ea4c6fc4b5fe10c83af82d5104d5a9b8c528fd383cce4677c0d10c708732c3bb

SHA512
dd63b78f80897bd585721694f7392daa10550a66b0d3d71371f86aaebec948d09b23a5db8044b0d5c39a119b6cf5e28b77bd23af9f129da6693021673d2de23b

Download Submit
\??\c:\NT_Path.jpg

Filesize
117B

MD5
797622209772cab27184be02d926d1c6

SHA1
d940519a47b18d3924aef95608ff9b1037f4854e

SHA256
14ac8fa5b717a9cc3e115178841fd306f439c36d27b496531eaab98a13256988

SHA512
a67096f169bc3dc720807e2ddf0a8ad373212b25a764ef2ec065c505643fb763973ea348d16ba3b52ba8884d3cf803b494fd4017029cc3dc65db3e299ec70a52

Download Submit
\??\c:\program files (x86)\vlal\waojxeqoi.gif

Filesize
14.2MB

MD5
b8d8ac622f5d28e17cdacfaaa15cf0ec

SHA1
2cdec858492b54d456d4a8a1dcdae25f0bb028d9

SHA256
44ece24262558bacedba8a56204bb9671fc903d5a16208d25d2aa1623ac03118

SHA512
25fbb311ef5a92b6ccbf22afb846e9b5b936d4a18df690485561685e55263aeace08f13185263bf68c6bac2be02137b9d1a9e5af7555633fe1b225b4f1521334

Download Submit
\Program Files (x86)\Vlal\Waojxeqoi.gif

Filesize
14.2MB

MD5
b8d8ac622f5d28e17cdacfaaa15cf0ec

SHA1
2cdec858492b54d456d4a8a1dcdae25f0bb028d9

SHA256
44ece24262558bacedba8a56204bb9671fc903d5a16208d25d2aa1623ac03118

SHA512
25fbb311ef5a92b6ccbf22afb846e9b5b936d4a18df690485561685e55263aeace08f13185263bf68c6bac2be02137b9d1a9e5af7555633fe1b225b4f1521334

Download Submit
memory/1632-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1632-55-0x0000000000530000-0x000000000055B000-memory.dmp

Filesize
172KB

Download
memory/1632-57-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/1632-56-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/1632-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1632-63-0x0000000000530000-0x000000000055B000-memory.dmp

Filesize
172KB

Download
memory/1632-64-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing